
Google Patches 34 Browser Bugs in Chrome 67, Adds Spectre Fixes

Google has rolled out its newest browser version (Chrome 67.0.3396.62) for Windows, Mac and Linux this week with new security fixes and biometric features.

Google updated its Chrome browser to version 67.0.3396.62 on Tuesday, patching 34 bugs and adding support for the credential management API called WebAuthn. The update will be available in the coming days for Windows, Mac and Linux platforms, Google said.

The most notable part of the browser update is its set of Spectre mitigations. The fix includes a feature called Site Isolation, which separates the processes used by different tabs, so that if one tab crashes the others keep working. This also protects against speculative-execution side-channel CPU vulnerabilities like Spectre, because it reduces the amount of data exposed to side-channel attacks.

“We’re continuing to roll out Site Isolation to a larger percentage of the stable population in Chrome 67,” said Chrome in its security release. “Site Isolation improves Chrome’s security and helps mitigate the risks posed by Spectre.”

Bug fixes for Chrome 67 include nine rated high. One of them is an out-of-bounds memory access bug (CVE-2018-6130) in Web Real-Time Communication (WebRTC), an open-source project that provides web browsers with real-time communication through simple APIs. Google also patched a heap buffer overflow in the open-source graphics library Skia (CVE-2018-6126) and an overly permissive policy bug (CVE-2018-6125) in the WebUSB API, which provides a way to expose USB device services to the Web. Below is the full list of the fixed vulnerabilities rated high.

CVE-2018-6123: Use after free in Blink.

CVE-2018-6124: Type confusion in Blink.

CVE-2018-6125: Overly permissive policy in WebUSB.

CVE-2018-6126: Heap buffer overflow in Skia.

CVE-2018-6127: Use after free in indexedDB.

CVE-2018-6128: uXSS in Chrome on iOS.

CVE-2018-6129: Out of bounds memory access in WebRTC.

CVE-2018-6130: Out of bounds memory access in WebRTC.

CVE-2018-6131: Incorrect mutability protection in WebAssembly.

The Chrome 67 update also introduces the WebAuthn API. This API lets users log into their accounts with alternative methods, including biometric options such as fingerprint readers, iris scans and facial recognition. Mozilla added the same feature to Firefox a few weeks ago with the release of Firefox 60.

Finally, the latest version of Chrome deprecates support for HTTP public key pinning (HPKP) in favor of the more flexible Expect-CT header. Google first announced the plan in 2017, arguing that public key pinning risks leaving website administrators struggling to select a reliable set of keys to pin to.
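The two headers the article contrasts look like this in a response, and a site migrating off HPKP wants to know whether its Expect-CT policy is actually enforced or only reported. Below is an added example (not from the article or from Google) of a small checker that parses both headers and reports the migration state; the header names and directives are the real ones, while the sample pins, max-age values and report URI are constructed placeholders.

```javascript
// Added example, not from the article: parse Public-Key-Pins and Expect-CT
// response headers and report findings. Sample headers are constructed.

// Split a header value into directives while honouring quoted values.
// HPKP separates directives with ';', Expect-CT with ','; both are accepted.
function parseDirectives(value) {
  const directives = {};
  let token = "";
  let inQuotes = false;
  const flush = () => {
    const t = token.trim();
    token = "";
    if (!t) return;
    const eq = t.indexOf("=");
    const name = (eq === -1 ? t : t.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? true : t.slice(eq + 1).trim();
    if (typeof val === "string" && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    // pin-sha256 may legitimately repeat (primary plus backup pins).
    if (name === "pin-sha256") (directives[name] = directives[name] || []).push(val);
    else directives[name] = val;
  };
  for (const ch of value) {
    if (ch === '"') { inQuotes = !inQuotes; token += ch; }
    else if ((ch === ";" || ch === ",") && !inQuotes) flush();
    else token += ch;
  }
  flush();
  return directives;
}

// headers: object keyed by lowercase header name. Returns an array of findings;
// an empty array means a correctly migrated, enforced Expect-CT policy.
function checkCtHeaders(headers) {
  const findings = [];
  const hpkp = headers["public-key-pins"];
  if (hpkp !== undefined) {
    const pins = parseDirectives(hpkp)["pin-sha256"] || [];
    findings.push(`Public-Key-Pins present with ${pins.length} pin(s): HPKP is deprecated and ignored by Chrome 67`);
  }
  const ect = headers["expect-ct"];
  if (ect === undefined) {
    findings.push("Expect-CT missing: no Certificate Transparency expectation is set");
    return findings;
  }
  const d = parseDirectives(ect);
  if (!/^\d+$/.test(String(d["max-age"]))) {
    findings.push("Expect-CT: max-age missing or not a non-negative integer");
  }
  if (d.enforce !== true) {
    findings.push("Expect-CT: no enforce directive, so CT failures are only reported");
  }
  if (typeof d["report-uri"] === "string" && !d["report-uri"].startsWith("https://")) {
    findings.push("Expect-CT: report-uri is not https");
  }
  return findings;
}

// Constructed sample responses: a site still on HPKP, and one migrated to Expect-CT.
const legacyHeaders = {
  "public-key-pins": 'pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; ' +
    'pin-sha256="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="; max-age=5184000; includeSubDomains',
};
const migratedHeaders = {
  "expect-ct": 'max-age=86400, enforce, report-uri="https://ct-reports.example.test/report"',
};

console.log(checkCtHeaders(legacyHeaders));
console.log(checkCtHeaders(migratedHeaders));
```

The deprecation the article describes is a quiet one from the browser's side: a Public-Key-Pins header does not cause an error, it is simply no longer honoured, so a header check like this is the only way to notice a site that still relies on it.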

Chrome 67 for desktops is currently available. Android and Chrome OS versions will follow soon after.

Discussion

Chrome 67 is another forced update that leaves the user in the dark! After updating, my screen went black and my Google user names (previously stored) have completely disappeared. I have to type in my email address every time. Is that progress? I think not. Can I return to Chrome 66? I would like to try!

Authors

Threatpost
